A small army of security and privacy researchers has called on Google to automatically encrypt all data transmitted via its Gmail, Google Docs, and Google Calendar services.
Google already uses Hypertext Transfer Protocol Secure (https) encryption to mask login information on this trio of cloud-based web-based applications. And netizens have the option of turning on https for all transmissions. But full-fledged https protection isn't flipped on by default.
"Google's default settings put customers at risk unnecessarily," reads a letter lobbed to Google CEO Eric Schmidt by 37 academics and researchers. "Google's services protect customers' usernames and passwords from interception and theft. However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google's servers in the clear, allowing anyone with the right tools to steal that information."
Signatories includes Harvard-based Google watcher Benjamin Edelman; Chris Hoofnagle, the director of Information Privacy Programs at Berkeley Center for Law & Technology; and Ronald L. Rivest, the R in RSA.
In the past, Google has said it doesn't automatically enable https for performance reasons. "https can make your mail slower," the company explained in a July 2008 blog post announcing Gmail's https-session option. "Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you."
But 37 researchers see things a differently. "Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection," they write. "The user's interactions with Google's applications typically do not depend on an immediate response from Google's servers. This separation of the application from the Internet connection enables Google to offer 'offline' versions of its most popular Web applications."
Even where low latency matters, they say, outfits such as Bank of America, American Express, and Adobe have protected their via https without a heavy performance hit. Adobe automatically encrypts Photo Express sessions.
Of course, another good example is...Google itself. The company does automatic encryption with Google Health, Google Voice, AdSense, and Adwords. "Google's engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense - we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default," the researchers write.
The problem, they say, is that everyday netizens don't realize the importance of encryption - and that Google fails to properly protect them from their own ignorance. Gmail now includes a setting that lets you "always use https." But the researchers complain that most users don't know it's there. And with Docs and Calendar, they point out, users can't use session encryption unless they remember to type https into their browser address bar every time they use the services.
They also take issue with Google's use of a single authentication cookie for all three services. Since users needn't reenter their usernames and passwords when they switch from one service to another, a miscreant who has captured a cookie on Docs can listen into Gmail - even when Gmail's "always use https" switch is flipped on.
"This makes Docs and Calendar sessions the weakest link in the chain of security, and attackers can use this cookie information to steal far more important data that would otherwise have been protected."
If Google refuses to turn on https by default, the researchers say, the company should at least make sure that users understand the risks of encryption-less transmissions. There are four things they suggest:
* Place a link or checkbox on the login page for Gmail, Docs, and Calendar that causes that session to be conducted entirely over https. This is similar to the "remember me on this computer" option already listed on various Google login pages. As an example, the text next to the option could read "protect all my data using encryption.'
* Increase visibility of the "always use https" configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
* Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.
* Make the "always use https" option universal, so that it applies to all of Google's products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.
We have asked Google for a response to the letter, and once it arrives, we'll toss it your way. Odd are, it will be completely non-committal.
In defense of Google, the company does go farther than many other big-name web outfits. As the researchers point out in their letter, Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace don't even offer an https option. But the 37 hold Google to a higher standard. "Google has made important privacy promises to users, and users naturally and reasonably expect Google to follow through on those promises."
No responsibility can be taken for the content of external Internet sites.
Return to internet news headlines
View Internet News Archive